The latest git now has a fix for this exploit in an inc-recursive transfer (the default). See commit: 962f8b90045ab331fc04c9e65f80f1a53e68243b
A transfer with --no-inc-recursive set (or an option that implies it) will sort the filenames wrong, so it would take some more malicous-sender helper code to deal with that, but it should be possible. I'll be looking at how best to deal with that code path next.